These slides discuss the WHEN and HOW of various common and special-purpose extensions in Burp Suite for application security testing. They were presented at Null Bangalore as a Puliya session by Neelu Tripathy.
3. REPLICATOR
• Pentesting Focused
• Replicate PoC for Developers
• Used Twice > Before and After FIX Applied
• One Vector Per Instance
• Especially where encoding/fuzzing is involved
• Developer: Should Understand it is just a PoC & can have variations
• Finding-wise: User-wise session macro
4. MODES
TESTER MODE
• Immediate PoC from Burp Suite
• Input from Other Tabs > Replicator
• Regex: Specify Expressions Manually
• Create Session Macro
• Scrub cookies
• Test All
• Save to replicator.json
DEVELOPER MODE
• Load replicator.json
• Use inbuilt session macros
• Works across Environments (dev, pre-prod, etc.)
• Clearing Cookies > Test All
• Apply Fix
• Test All
5. WHEN TO USE
PROOF OF CONCEPT
• Team awareness: Developers, Test Teams, Security Testing
• As a substitute for documentation: Incremental testing
LIMITATIONS
• Not Exhaustive: Cross Site Scripting, SQL Injections, Permutational Issues
• WAF in Place
9. ATTACK SURFACE
• Sign the Message
• Sign the Assertion
• Sign the Assertion and later sign the Message
• Tampering Public Keys and Certificates
• Service Provider and Identity Provider
10. EXAMPLES
• Tampering
• Signature Wrapping
11. LOGGER++
• Soroush Dalili & Corey Arthur
• Log All You Want
• Free
• Also logs Sequencer, Spider, Intruder and so on
• Save and Export as CSV
• Grepping
• Versatile Filters (Method, Query, Request, Response, …)
13. ACTIVE SCAN ++
• James Kettle
• Pro Burp Suite
• Advanced Testing On Top Of Existing Active Scan
• Esoteric Issues
Deployment Pre-Requisites
• Jython 2.5 or later
• jython-standalone-2.5.jar
• activeScan++.py
14. WHAT DO WE GET
• Struts2 RCE - CVE-2017-5638 / S2-045
• Host Header Injection (password reset poisoning, cache poisoning, DNS rebinding)
• CVE-2014-6271/CVE-2014-6278 'shellshock' and CVE-2015-2080, CVE-2017-5638, CVE-2017-12629
• Edge Side Includes
• XML Input Handling
• Blind code injection via expression language, Ruby's open() and Perl's open()